7fd66160f5ad92368a4af93dfb893b4f61d351318f60a5b2621972744afd9335

General

Target

tmp.exe
Size

385KB
MD5

45282758d466aa702d8198b69791d69e
SHA1

797bd612df0b1cda746517cddeef7ca480643316
SHA256

7fd66160f5ad92368a4af93dfb893b4f61d351318f60a5b2621972744afd9335
SHA512

e65ea0cdbe2f9da2b8122f96cc5e21b83a24fde859012b045e846dae770f733622a2ec89eb6f31d9addd86c2b62864924bf74e96b89b7aad3572ea2d27fa46fe
SSDEEP

6144:jNxSTVMOCjxlBqQshujYphtTIKcC/DqR3Vu5b823YTzu1vNalT/hwFBjDzVH+fM:jNxSTuUo0ZTIfC/qc5b7NxyT/OPtv

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rsautoup_.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rsautoup_.exe:*:Enabled:RSupport AutoUpdate"	rsautoup_.exe
Key created	\REGISTRY\MACHINE\System\CONTROLSET002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rsautoup_.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rsautoup_.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rsautoup_.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rsautoup_.exe:*:Enabled:RSupport AutoUpdate"	rsautoup_.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	rsautoup.exe
3860	rsautoup_.exe

Loads dropped DLL 1 IoCs

pid	Process
3860	rsautoup_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1692	rsautoup.exe
3860	rsautoup_.exe
3860	rsautoup_.exe
3860	rsautoup_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 1692	4568	tmp.exe	81
PID 4568 wrote to memory of 1692	4568	tmp.exe	81
PID 4568 wrote to memory of 1692	4568	tmp.exe	81
PID 1692 wrote to memory of 3860	1692	rsautoup.exe	82
PID 1692 wrote to memory of 3860	1692	rsautoup.exe	82
PID 1692 wrote to memory of 3860	1692	rsautoup.exe	82

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\rsautoup.exe
  "C:\Users\Admin\AppData\Local\Temp\rsautoup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe
    "C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe" -autoup
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RSEncrypt.dll

Filesize
73KB

MD5
fc01759960722a42ca655af79cdc9c6d

SHA1
f3c6ae575e296d59a1c37acade6405547fae2e53

SHA256
eb5803aefed58f5243e783afa0183956fecf757d116ab97f60bb04f6a797223e

SHA512
ca9bb15fdb98864b23e1262ae4ec5e4d7479798f049fd92d3c4b9b1a6651f20c616304fe4e9ffdde53d3690c8c452b23ca3cd5bdc4a0057c113df4375f79f204

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup.exe

Filesize
509KB

MD5
541543eae801259b09f7f49e4feba391

SHA1
afb49df0b5907e38e44bea62620abbf49d4d3e80

SHA256
aa82b17d0332247f99eaecc2efe7eb3374b6c7aa88393740e2ef01ab4f5d00b7

SHA512
e0972e9a9f17f088f96b4a41071bb826f398afd1e369a0d934713ec1f9382e8200a303c6924949bfcc3b6fb412ec695ccfd6d5f35588b804326333224153c006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup.exe

Filesize
509KB

MD5
541543eae801259b09f7f49e4feba391

SHA1
afb49df0b5907e38e44bea62620abbf49d4d3e80

SHA256
aa82b17d0332247f99eaecc2efe7eb3374b6c7aa88393740e2ef01ab4f5d00b7

SHA512
e0972e9a9f17f088f96b4a41071bb826f398afd1e369a0d934713ec1f9382e8200a303c6924949bfcc3b6fb412ec695ccfd6d5f35588b804326333224153c006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup.exe

Filesize
509KB

MD5
541543eae801259b09f7f49e4feba391

SHA1
afb49df0b5907e38e44bea62620abbf49d4d3e80

SHA256
aa82b17d0332247f99eaecc2efe7eb3374b6c7aa88393740e2ef01ab4f5d00b7

SHA512
e0972e9a9f17f088f96b4a41071bb826f398afd1e369a0d934713ec1f9382e8200a303c6924949bfcc3b6fb412ec695ccfd6d5f35588b804326333224153c006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup.lng

Filesize
8KB

MD5
3f741041ce087d542614520e85e01968

SHA1
0f82350639280821e7ee8bffc6716e70093ccb8f

SHA256
7f47f8803c8ab301c9d79f7e9dda4c88f7498a427dabaa5f86e99389b51e35ae

SHA512
e387e503ba7aeb48b5ed3f702187b618d013022cddfe24ebda5a771adc031ef40f4f604d7592930bef58b9391a21688671ebedec7dd1acdcb5efd8e26204e1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe

Filesize
509KB

MD5
541543eae801259b09f7f49e4feba391

SHA1
afb49df0b5907e38e44bea62620abbf49d4d3e80

SHA256
aa82b17d0332247f99eaecc2efe7eb3374b6c7aa88393740e2ef01ab4f5d00b7

SHA512
e0972e9a9f17f088f96b4a41071bb826f398afd1e369a0d934713ec1f9382e8200a303c6924949bfcc3b6fb412ec695ccfd6d5f35588b804326333224153c006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsautoup_.exe

Filesize
509KB

MD5
541543eae801259b09f7f49e4feba391

SHA1
afb49df0b5907e38e44bea62620abbf49d4d3e80

SHA256
aa82b17d0332247f99eaecc2efe7eb3374b6c7aa88393740e2ef01ab4f5d00b7

SHA512
e0972e9a9f17f088f96b4a41071bb826f398afd1e369a0d934713ec1f9382e8200a303c6924949bfcc3b6fb412ec695ccfd6d5f35588b804326333224153c006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsencrypt.dll

Filesize
73KB

MD5
fc01759960722a42ca655af79cdc9c6d

SHA1
f3c6ae575e296d59a1c37acade6405547fae2e53

SHA256
eb5803aefed58f5243e783afa0183956fecf757d116ab97f60bb04f6a797223e

SHA512
ca9bb15fdb98864b23e1262ae4ec5e4d7479798f049fd92d3c4b9b1a6651f20c616304fe4e9ffdde53d3690c8c452b23ca3cd5bdc4a0057c113df4375f79f204

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads